gnupg (1.2.4-4ubuntu2.3) warty-security; urgency=low
* SECURITY UPDATE: Fix signature verification bypass.
* Add debian/patches/24_multisig.dpatch:
- Apply upstream patch to fix correct verification on invalid multiple
signatures.
- CVE-2006-0049
-- Martin Pitt <email address hidden> Mon, 13 Mar 2006 12:46:22 +0000
-
gnupg (1.2.4-4ubuntu2.2) warty-security; urgency=low
* SECURITY UPDATE: Fix potential signature verification bypass.
* Add debian/patches/23_verify_exit_code.dpatch:
- Security fix for a verification weakness in gpgv. Some input
could lead to gpgv exiting with 0 even if the detached signature
file did not carry any signature. This is not as fatal as it
might seem because the suggestion has always been not to rely on
the exit code but to parse the --status-fd messages. However it
is likely that gpgv is used in that simplified way and thus we
do this release. Same problem with "gpg --verify" but nobody
should have used this for signature verification without
checking the status codes anyway.
- Upstream patch from 1.4.2.1.
- CVE-2006-0455
-- Martin Pitt <email address hidden> Fri, 17 Feb 2006 11:11:51 +0000
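
The advice in the entry above, as an added example (not code from this changelog or from GnuPG): a Python check that decides validity from `--status-fd` lines instead of the exit code. The status text, the fingerprint and the exactly-one-`VALIDSIG` policy are constructed assumptions, and the no-signature case is modelled as empty status output.

```python
# Added example: decide signature validity from gpgv --status-fd output,
# not from the process exit code. All sample status text is constructed.
PREFIX = "[GNUPG:] "
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def parse_status(text):
    """Return (keyword, args) pairs for each well-formed status line."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                events.append((parts[0], parts[1:]))
    return events


def signature_ok(status_text, trusted_fprs, exit_code=0):
    """True only on positive evidence: one VALIDSIG from a trusted key,
    no failure keyword, and a zero exit code (policy of this example)."""
    events = parse_status(status_text)
    if exit_code != 0 or any(kw in FAIL for kw, _ in events):
        return False
    # The first VALIDSIG argument is the fingerprint of the signing key.
    valid = [args[0] for kw, args in events if kw == "VALIDSIG" and args]
    return len(valid) == 1 and valid[0] in trusted_fprs


# Constructed fingerprint and status output (not captured from a real run).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = (
    "[GNUPG:] SIG_ID constructedSigId 2006-02-17 1140174711\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2006-02-17 1140174711 0 3 0 17 2 00 {FPR}\n"
)
NO_SIG = ""  # assumption: exit code 0 with no signature status emitted
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("no signature", NO_SIG), ("bad", BAD)]:
        print(name, "->", signature_ok(text, {FPR}, exit_code=0))
```

A caller that only tested for a zero exit code would accept the `NO_SIG` case; requiring a `VALIDSIG` line turns the absence of a signature into a rejection.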
-
gnupg (1.2.4-4ubuntu2.1) warty-security; urgency=low
* SECURITY UPDATE: Fix possible encryption weakening.
* Add debian/patches/17_disable_quick_scan.dpatch:
- Disable quick scan feature to avoid being vulnerable to Serge Mister's
and Robert Zuccherato's timing attack.
- CAN-2005-0366
-- Martin Pitt <email address hidden> Fri, 19 Aug 2005 16:15:14 +0200
-
gnupg (1.2.4-4ubuntu2) warty; urgency=low
* Do not configure with --with-capabilities, and do not install gnupg as
suid root any more since the Ubuntu kernel now supports calling mlock() as
user.
-- Martin Pitt <email address hidden> Tue, 14 Sep 2004 07:57:14 +0200